-rw-r--r-- | conntrack.8 | 4 | ||||
-rw-r--r-- | src/conntrack.c | 5 |
2 files changed, 9 insertions, 0 deletions
diff --git a/conntrack.8 b/conntrack.8
index 031eaa4..3b6a15b 100644
--- a/conntrack.8
+++ b/conntrack.8
@@ -193,6 +193,10 @@ Use multiple \-l options to specify multiple labels that need to be set.
 Specify the conntrack label to add to the selected conntracks.
 This option is only available in conjunction with "\-I, \-\-create",
 "\-A, \-\-add" or "\-U, \-\-update".
+As a rule of thumb, you must use either the 'connlabel' match in your iptables
+ruleset or the 'ct label' statement in your nftables ruleset, this turns on the
+ct label support in the kernel and it allows you to update labels via
+"\-U, \-\-update", otherwise label updates are ignored.
 .TP
 .BI "--label-del " "[LABEL]"
 Specify the conntrack label to delete from the selected conntracks.
diff --git a/src/conntrack.c b/src/conntrack.c
index f9758d7..c1551ca 100644
--- a/src/conntrack.c
+++ b/src/conntrack.c
@@ -2195,6 +2195,11 @@ static int mnl_nfct_update_cb(const struct nlmsghdr *nlh, void *data)
 	/* the entry has vanish in middle of the update */
 	if (errno == ENOENT)
 		goto destroy_ok;
+	else if (cmd->options & (CT_OPT_ADD_LABEL | CT_OPT_DEL_LABEL) &&
+		 !nfct_attr_is_set(ct, ATTR_CONNLABELS) &&
+		 errno == ENOSPC)
+		goto destroy_ok;
+
 	exit_error(OTHER_PROBLEM, "Operation failed: %s",
 		   err2str(errno, CT_UPDATE)); |
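Review bot: The new `else if` in src/conntrack.c tests `errno == ENOSPC` only after calling `nfct_attr_is_set()`, so a library call sits between the failing operation and the errno check; if that call ever sets errno (libnetfilter_conntrack does so on an invalid attribute), a genuine ENOSPC could be missed or a different error could be mistaken for it. Test the cheap, clobber-prone condition first: `else if (errno == ENOSPC &&` / `cmd->options & (CT_OPT_ADD_LABEL | CT_OPT_DEL_LABEL) &&` / `!nfct_attr_is_set(ct, ATTR_CONNLABELS))`, or save errno into a local right after the failing call. The branch also jumps to `destroy_ok`, which from the visible lines appears to treat the update as a success even though, per the conntrack.8 hunk, the kernel has ignored the label change; an operator relying on labels for policy gets exit status 0 with nothing applied, so consider printing a one-line warning to stderr (pointing at the connlabel/`ct label` requirement in conntrack(8)) before the `goto`. The enclosing mnl_nfct_update_cb() and the destroy_ok label lie outside this hunk, so whether a counter is incremented on that path cannot be confirmed here.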